Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
12/09/2024, 08:04
General
-
Target
e351668d68d45749607c1a6cfb1de480N.exe
-
Size
67KB
-
MD5
e351668d68d45749607c1a6cfb1de480
-
SHA1
5c5419d549d690406ea5a8f3791d0927db999584
-
SHA256
1fbd5101492ab9a490ccf0f925c0e672858a6ff31aeba78c217481366ef62a2a
-
SHA512
4be86887e25f9f7811c819f1b61f61109fd9c3cffc453b0eb4cb04514bab4aa834103a8bcc28ae5c79d28fbaeec46419302fb116f99aee5ca1d64360be4dcae6
-
SSDEEP
1536:EgXsfgWQN1kYsRxWTg3PwSWe991Rdolpdz6JAkAT:1tWYfGATvPe9slp+ApT
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 8 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e351668d68d45749607c1a6cfb1de480N.exe"C:\Users\Admin\AppData\Local\Temp\e351668d68d45749607c1a6cfb1de480N.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\at.exeat 08:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 08:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
67KB
MD5f23e298e411934479fadfc91239817f1
SHA10112be0069266ddffcfce6c58bb967a8715b1e3c
SHA256bf508ffb1b27f06a4aa0c9c5c0a337d20045ac952c1dd93223dabc91c247d8f4
SHA5126a7111455ced3361b26dabc5302db4861ace506c49a002d41a0b90580a6beefdcc7cd39f57f13b7e807022d280575429c00a061bdcc229a81398379e0c0b76ab
-
Filesize
67KB
MD52e53505b5c2ab1a777b9ddd2653b7d13
SHA1b1e3295c6b3d7599d5d54e21c691c089a880d9ee
SHA256bf5d1d9ed6185b8ea0dadd8c6446ed8968f11775302fad4e0ab52889497a23b2
SHA512a17769e778c6860e1eb9dee50e41480d37385b34660d98737ccc5a76f79bd232454ec2595841459cc1bbf8127544efe599095a440caaabd9f4e4534a7542f41a
-
Filesize
67KB
MD51b6a37931c7d67600a7ba81be4770a3b
SHA1dd21980ede33952e6ac51fbb85d96a2a430e2073
SHA2563a30570c72e91ce9639c0344d1cf435ab803afca627fbb01b584aa5c0ff8a733
SHA512969807d1f8d8869b9c1fc8cdc1dcfb260ed57dfd732b28ca032b5d307f68f9e94c2492db838b28f071e937f310aaa2c11c8c504a479c4d580c74cdffa9e0a333
-
Filesize
67KB
MD59cb0df7d41bd5bac697181c0a6252e6c
SHA15f576bc5abf710bcbeb46ee700c507bfadb0dd6f
SHA256ab3d8ab7ed81dc97de3d6cc380814e059527e56e96b1baf93bbe52095560934c
SHA5127c80b6a5d0712b929d925617dae9d2d3ccddf185952d88e22c1b247e0ad577bf25178d3f05640ea82a0dd98b3cd9f6e30bdcabdb64f3c3ae9fda0bedb6679ce5
-
Filesize
196KB
-
Filesize
180KB
-
Filesize
16KB
-
Filesize
180KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
180KB
-
Filesize
196KB
-
Filesize
16KB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.3MB